Thanks a lot for explaining the situation and alternative paths forward. My view as a user:
I only want OpenJDK7 (maybe OpenJDK8 when that becomes generally available on September 9, 2013 :-) Oracle has announced that no more new public updates of Java SE 6 will be made available after February 2013: http://www.oracle.com/technetwork/java/eol-135779.html OpenJDK6 therefore should be considered obsolete when Wheezy is released. Is there any collaboration with other distributions and/or the OpenJDK project on this ? Cheers, Andreas --- Matthias Klose: > There is a bug report open for openjdk-6 in wheezy (#675495) and squeeze > didn't > see any security updates for several months. To summarize, no party involved > is > capable or willing to provide security updates based on backports of single > patches to the released openjdk-6 version in a stable release. So what to do > about it? > > - Remove openjdk-6 in wheezy. Probably would require falling back to > gcj. Not recommended as a runtime environment, but should work fine > for building packages, as ecj is used for byte-code compilation. > Falling back to an easier-to-main jvm could be an option too, but > I didn't check how well that would work. > Not having a fall-back would require removing most of java in Debian. > > - Updating to openjdk-7 in wheezy would not solve any issues from my > point of view, and it would need some porting of packages to 7, and > probably removing some packages which are not yet ported. > Otoh removing openjdk-7 for wheezy could be an option if only one > version should be supported for a stable release. > > - Release openjdk-6 with wheezy, and provide security support by > updating to new OpenJDK and IcedTea versions. Usually this does > include some backports and other fixes. The potential for > regressions could be higher, however even the single security fixes > show regressions, as shown by the last security update on Feb 1. > > These builds could be provided as security updates, updates to > the stable releases, or as backports. As a proof of concept, see [1]. > > - Release openjdk-7 with wheezy, and do the same as with openjdk-6. > The issue here is that 7 sees more changes than 6, and that the > current openjdk-7 release doesn't build anymore on mips or mipsel, > as communicated to the Debian mips porters, so an update would > require removal of the binary mips packages. Fine if somebody wants > to fix it, but apparently there is no-one interested in that. So > this looks more difficult than the openjdk-6 updates. Removing > the openjdk mips binaries would require changes to source packages > building arch any packages and build-depending on default-jdk or > openjdk. > > We should find a solution where the resources are available to handle this > solution. In the OpenJDK team, I think it's safe to assume that Torsten > Werner > isn't currently working on openjdk anymore and recently I got an email from > Damien Raude-Morvan, that he can't work on OpenJDK-7 in the forseeable future > anymore. Apparently one of the security team members who did work on OpenJDK > security updates left the team too. I think that moving maintainership to the > Debian Java team would just make the maintainership issue less explicit. > > While not a that important issue, the mips and kfreebsd issue could be > improved > as well: > > - The mipsel porter box is again down for several months. Having a porter > box to test backports would be appreciated (yes, openjdk-7 in experimental > currently fails on mips, not mipsel). > > - Afaik openjdk-7 for kfreebsd does build on kfreebsd (according to Damien) > with the kfreebsd kernel from wheezy. So maybe some commitment could be > found to upgrade and maintain the kernels before wheezy is released? > > Matthias > > [1] deb http://people.debian.org/~doko/tmp/openjdk-6-squeeze ./ > > -- To UNSUBSCRIBE, email to debian-java-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/5121c991.5020...@ping.de
